{"id":"CVE-2023-26053","summary":"Gradle usage of long IDs for PGP keys opens potential for collision attacks","details":"Gradle is a build tool with a focus on build automation and support for multi-language development. This is a collision attack on long IDs (64 bits) for PGP keys. Users of dependency verification in Gradle are vulnerable if they use long IDs for PGP keys in a `trusted-key` or `pgp` element in their dependency verification metadata file. The fix is to fail dependency verification if anything but a fingerprint is used in a trust element in dependency verification metadata. The problem is fixed in Gradle 8.0 and above. The problem is also patched in Gradle 6.9.4 and 7.6.1. As a workaround, use only full fingerprint IDs in any `trusted-key` or `pgp` element in the metadata.","aliases":["BIT-gradle-2023-26053","GHSA-c724-3xg7-g3hf"],"modified":"2026-04-10T04:56:39.108948Z","published":"2023-03-02T03:11:31.488Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26053.json","cwe_ids":["CWE-829"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26053.json"},{"type":"ADVISORY","url":"https://github.com/gradle/gradle/security/advisories/GHSA-c724-3xg7-g3hf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26053"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230413-0002/"},{"type":"FIX","url":"https://github.com/gradle/gradle/commit/bf3cc0f2b463033037e67aaacda31291643ea1a9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gradle/gradle","events":[{"introduced":"61d3320259a1a0d31519bf208eb13741679a742f"},{"fixed":"7f9380f27d6dc6a1ee6dfc466b834b0408d0b0c4"}],"database_specific":{"versions":[{"introduced":"6.2"},{"fixed":"6.9.4"}]}},{"type":"GIT","repo":"https://github.com/gradle/gradle","events":[{"introduced"
:"d5661e3f0e07a8caff705f1badf79fb5df8022c4"},{"fixed":"3905fe8ac072bbd925c70ddbddddf4463341f4b4"}],"database_specific":{"versions":[{"introduced":"7.0.0"},{"fixed":"7.6.1"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26053.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}]}